Date:      Sun, 16 Jun 2002 03:10:04 -0700 (PDT)
From:      Dmitry Morozovsky <marck@rinet.ru>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: i386/39327: bind ntpd to only one IP
Message-ID:  <200206161010.g5GAA4W13217@freefall.freebsd.org>

The following reply was made to PR i386/39327; it has been noted by GNATS.

From: Dmitry Morozovsky <marck@rinet.ru>
To: =?KOI8-r?Q?Noel_K=F6the?= <fbsd@koethe.net>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: i386/39327: bind ntpd to only one IP
Date: Sun, 16 Jun 2002 14:01:07 +0400 (MSD)

 On Sat, 15 Jun 2002, Noel Köthe wrote:
 
 NK> >Description:
 NK>       Its not possible to bind the ntp Daemon to only one IP address.
 
 Here is the possible patch we use for our jail systems (I know ntpd is
 contributed, so the patch should be discussed both with FreeBSD
 maintainers and ntpd author)
 
 It is a quick'n'dirty solution -- only a command-line -h option is available to
 restrict the bind list. A more appropriate fix would also contain a config-file
 directive.
 
 Sincerely,
 D.Marck                                   [DM5020, DM268-RIPE, DM3-RIPN]
 ------------------------------------------------------------------------
 *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
 ------------------------------------------------------------------------
 Index: contrib/ntp/ntpd/cmd_args.c
 ===================================================================
 RCS file: /ncvs/src/contrib/ntp/ntpd/cmd_args.c,v
 retrieving revision 1.1.1.1.2.1
 diff -u -r1.1.1.1.2.1 cmd_args.c
 --- contrib/ntp/ntpd/cmd_args.c	21 Dec 2001 17:39:12 -0000	1.1.1.1.2.1
 +++ contrib/ntp/ntpd/cmd_args.c	11 May 2002 17:09:07 -0000
 @@ -14,8 +14,9 @@
   */
  extern char const *progname;
  int	listen_to_virtual_ips = 0;
 +u_long	bindonlyaddress = 0;
 
 -static const char *ntp_options = "aAbc:dD:f:gk:l:LmnN:p:P:qr:s:t:v:V:x";
 +static const char *ntp_options = "aAbc:dD:f:gh:k:l:LmnN:p:P:qr:s:t:v:V:x";
 
  #ifdef HAVE_NETINFO
  extern int	check_netinfo;
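Review bot: `bindonlyaddress` is added without a comment, and nothing says that it holds an IPv4 address in network byte order or that 0 doubles as "option not given". Because of that sentinel, `-h 0.0.0.0` cannot be told apart from no `-h` at all. I would document it at the definition, e.g. `u_long bindonlyaddress = 0; /* -h: sole IPv4 address to bind, network byte order; 0 = not set */`. The matching `extern` that the ntp_io.c hunk adds would be safer in a shared header, so the two declarations cannot drift apart.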
 @@ -76,6 +77,17 @@
  		    ++errflg;
  		    break;
  #endif
 +		case 'h':
 +		do {
 +			struct in_addr addr;
 +
 +			if (inet_aton(ntp_optarg, &addr) <= 0)
 +				msyslog(LOG_ERR,
 +					"bad ip address: %s", ntp_optarg);
 +			else
 +				bindonlyaddress = addr.s_addr;
 +		} while (0);
 +			break;
  		case 'L':
  		    listen_to_virtual_ips = 1;
  		    break;
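Review bot: When `inet_aton()` rejects the argument in the new `case 'h'`, the code only logs and carries on, so `bindonlyaddress` stays 0 and ntpd listens on every address, the opposite of what the operator asked for. The option case visible at the top of the hunk bumps `errflg` on bad input, and the failure branch here should do the same: `msyslog(LOG_ERR, "bad ip address: %s", ntp_optarg); ++errflg;` inside braces. `inet_aton()` also accepts shorthand forms such as a single number, so a stricter dotted-quad check may be worth adding if exact addresses matter for the jail setups. The switch continues outside the hunk, so how `errflg` is acted on is presumed rather than seen.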
 @@ -214,6 +226,9 @@
  			allow_panic = TRUE;
  			break;
 
 +		    case 'h':	/* already done at pre-scan */
 +			break;
 +
  		    case 'k':
  			getauthkeys(ntp_optarg);
  			break;
 @@ -263,7 +278,7 @@
  				}
  			} while (0);
  			break;
 -
 +
  		    case 's':
  			stats_config(STATS_STATSDIR, ntp_optarg);
  			break;
 Index: contrib/ntp/ntpd/ntp_io.c
 ===================================================================
 RCS file: /ncvs/src/contrib/ntp/ntpd/ntp_io.c,v
 retrieving revision 1.1.1.3.2.1
 diff -u -r1.1.1.3.2.1 ntp_io.c
 --- contrib/ntp/ntpd/ntp_io.c	21 Dec 2001 17:39:13 -0000	1.1.1.3.2.1
 +++ contrib/ntp/ntpd/ntp_io.c	11 May 2002 17:06:56 -0000
 @@ -131,6 +131,8 @@
  fd_set activefds;
  int maxactivefd;
 
 +extern	u_long	bindonlyaddress;
 +
  static	int create_sockets	P((u_int));
  static	int open_socket		P((struct sockaddr_in *, int, int));
  static	void	close_socket	P((int));
 @@ -229,14 +231,22 @@
  	 */
  	inter_list[0].sin.sin_family = AF_INET;
  	inter_list[0].sin.sin_port = port;
 -	inter_list[0].sin.sin_addr.s_addr = htonl(INADDR_ANY);
 -	(void) strncpy(inter_list[0].name, "wildcard",
 -		       sizeof(inter_list[0].name));
 -	inter_list[0].mask.sin_addr.s_addr = htonl(~ (u_int32)0);
 +	if (!bindonlyaddress) {
 +		inter_list[0].sin.sin_addr.s_addr = htonl(INADDR_ANY);
 +		(void) strncpy(inter_list[0].name, "wildcard",
 +			       sizeof(inter_list[0].name));
 +		inter_list[0].mask.sin_addr.s_addr = htonl(~ (u_int32)0);
 +		inter_list[0].flags = INT_BROADCAST;
 +	} else {
 +		inter_list[0].sin.sin_addr.s_addr = inet_addr("127.0.0.1");
 +		(void) strncpy(inter_list[0].name, "loopback",
 +			       sizeof(inter_list[0].name));
 +		inter_list[0].mask.sin_addr.s_addr = inet_addr("255.0.0.0");
 +		inter_list[0].flags = INT_LOOPBACK;
 +	}
  	inter_list[0].received = 0;
  	inter_list[0].sent = 0;
  	inter_list[0].notsent = 0;
 -	inter_list[0].flags = INT_BROADCAST;
  	any_interface = &inter_list[0];
 
  #if _BSDI_VERSION >= 199510
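Review bot: With `-h` set, slot 0 stops being the wildcard and becomes 127.0.0.1, but `any_interface = &inter_list[0]` is left as is, so anything that falls back to `any_interface` would now use a loopback-bound socket. The callers are outside this hunk, so please confirm that none of them relies on `any_interface` being the wildcard. The else branch also needs a comment saying why loopback is always kept, e.g. `/* -h: no wildcard socket; keep loopback in slot 0 for local queries */` if that is the intent, because an operator restricting ntpd to one address may not expect a second listener. If `-h 127.0.0.1` is given, the interface loop may add the same address a second time.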
 @@ -508,6 +518,13 @@
    			      sizeof(inter_list[i].name));
  # endif
  		inter_list[i].sin = *(struct sockaddr_in *)&ifr->ifr_addr;
 +		if (bindonlyaddress &&
 +		    inter_list[i].sin.sin_addr.s_addr != bindonlyaddress) {
 +			if (debug)
 +			    printf("ignoring %s - not in bindlist\n",
 +				   ifr->ifr_name);
 +			continue;
 +		}
  		inter_list[i].sin.sin_family = AF_INET;
  		inter_list[i].sin.sin_port = port;
 
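Review bot: If the `-h` address matches none of the enumerated interfaces, every entry is skipped by the new `continue` and ntpd comes up with only the loopback slot, with no message unless `debug` is on. A check after the loop that logs when nothing matched would make a mistyped or not-yet-configured address visible, e.g. `msyslog(LOG_ERR, "-h address not found on any interface");`; the loop end is outside this hunk. The `continue` also runs after `inter_list[i].name` and `.sin` have been written, which is only safe if `i` is advanced at the bottom of the loop body, so that should be confirmed. Whether alias addresses reach this test without `-L` is not visible here, and it matters for jail IPs.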
 




